Media Library Assistant Unauthenticated Limited File Read Vulnerability

Vulnerability

A limited file read vulnerability has been identified in the Media Library Assistant plugin for WordPress, affecting all versions up to and including 3.29. The issue lies in the plugin's 'mla-stream-image.php' file, which lets unauthenticated attackers read the contents of arbitrary AI, EPS, PDF, or PS files on the server, potentially exposing sensitive information.

Impact

Exploitation of this vulnerability gives an unauthenticated attacker unauthorized access to the contents of AI, EPS, PDF, and PS files on the server, which may include sensitive information.

Reproduction

The vulnerability is reproduced by sending a request to the 'admin-ajax.php' endpoint with the 'mla_stream_file' action. The request must include an encrypted 'mla_item' parameter that identifies a media library item by name, ID, and date, and an 'mla_stream_file' parameter set to the server-side path of the targeted PDF, AI, EPS, or PS file.
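As an added example, not part of the original advisory: a small Python checker that scans web-server access logs for the request pattern described above and flags 'mla_stream_file' requests whose file argument does not resolve to a normal path inside the uploads directory. It assumes Apache combined log format, the default 'wp-content/uploads/' layout and parameters passed in the query string; the log lines are constructed for the demo.

```python
import re
from posixpath import normpath
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format lines for the demo (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2025:06:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=mla_stream_file&mla_item=OPAQUE&mla_stream_file=/srv/private/contract.pdf HTTP/1.1" 200 84012 "-" "curl/8.4.0"
203.0.113.5 - - [18/Oct/2025:06:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=mla_stream_file&mla_item=OPAQUE&mla_stream_file=wp-content/uploads/../../wp-content/backups/export.ps HTTP/1.1" 200 1203 "-" "curl/8.4.0"
198.51.100.7 - - [18/Oct/2025:06:01:10 +0000] "GET /wp-admin/admin-ajax.php?action=mla_stream_file&mla_item=OPAQUE&mla_stream_file=wp-content/uploads/2025/10/brochure.pdf HTTP/1.1" 200 5531 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2025:06:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33 "-" "Mozilla/5.0"
"""

# Where legitimate media items live (assumption: default WordPress layout).
UPLOADS_PREFIX = "wp-content/uploads/"

# client, timestamp, method and request target of a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def is_suspicious_path(value: str) -> bool:
    """True if the requested file is not a plain path inside the uploads dir."""
    if value.startswith("/") or "\\" in value or "\x00" in value:
        return True  # absolute path, Windows separator or embedded NUL
    # normpath collapses "a/../b"; anything that leaves the uploads dir is flagged
    return not normpath(value).startswith(UPLOADS_PREFIX)

def flag_stream_file_requests(log_text: str) -> list[dict]:
    """Return one record per admin-ajax 'mla_stream_file' request with a suspicious path.

    Only query-string parameters are visible in access logs; POST bodies are not."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, ts, method, target = m.groups()
        url = urlparse(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(url.query)  # percent-decodes values for us
        if qs.get("action", [""])[0] != "mla_stream_file":
            continue
        requested = qs.get("mla_stream_file", [""])[0]
        if is_suspicious_path(requested):
            findings.append({"client": client, "time": ts, "method": method, "file": requested})
    return findings

if __name__ == "__main__":
    for hit in flag_stream_file_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} requested {hit['file']!r}")
```

Benign streaming of items under the uploads directory is left alone; the two flagged lines in the sample are the absolute path and the traversal that escapes the uploads directory.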

Remediation

Users are advised to update the Media Library Assistant plugin to version 3.30 or later, which addresses the issue.

Added: Oct 18, 2025, 6:18 AM
Updated: Oct 18, 2025, 6:18 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 3.3
exploitability: 7.4
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.